From: Matthew Seaman
To: Erik Nørgaard
Cc: questions@freebsd.org
Date: Thu, 19 Jul 2012 08:52:45 +0100
Subject: Re: Help solving the sysadm's nightmare

On 19/07/2012 07:55, Erik Nørgaard wrote:
> So, how can I
>
> - determine if files are actually unix executables or just plain files
>   (or windows executables)?

file(1) should help.

> - determine which users actually need read or write access to these files?

This is in most cases entirely a local policy matter.  As in: you write
up a proposal for how access control policy should be implemented and get
it signed off by your managers before applying it.  You'll need to
present things with rational justifications: something along the lines of:

   Only the web-dev team and root (sys-admins) need write access to the
   doc-root

   www-data pseudo user (the UID apache runs as) needs read access to
   doc-root

> the second is what I think is the most difficult, I need some lsof
> daemon to log access...

If you enable system accounting, I believe the detailed logs should show
you all of the fileio broken down by user.  Note that on a busy server,
system accounting can generate a *large* amount of data, and it is likely
to affect performance, so use with care.

See lastcomm(1), sa(8), accton(8), acct(5)

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
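
An added example, not part of the message above: one way to apply the file(1) suggestion is to walk a tree and list files that carry an execute bit but whose contents are not a unix executable. The function names classify and audit_exec_bits are hypothetical, and the patterns assume the usual wording of file(1) descriptions for ELF binaries, scripts and Windows executables.

```sh
#!/bin/sh
# Added example; classify and audit_exec_bits are illustrative names.

# classify FILE: map file(1)'s description of the contents to one of
# elf, script, windows, data. file(1) inspects content, not mode bits.
classify() {
    desc=$(file -b -- "$1") || return 1
    case $desc in
        ELF*|*" ELF "*)                echo elf ;;      # also "setuid ELF ..."
        *script*executable*)           echo script ;;   # "#!" interpreter line
        PE32*|MS-DOS*|*"MS Windows"*)  echo windows ;;
        *)                             echo data ;;
    esac
}

# audit_exec_bits DIR: print "kind<TAB>path" for every regular file under
# DIR that has any execute bit set but is not a unix executable.
# Paths containing newlines are not handled by the read loop.
audit_exec_bits() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
    while IFS= read -r path; do
        kind=$(classify "$path") || continue
        case $kind in
            elf|script) ;;                               # genuinely executable
            *) printf '%s\t%s\n' "$kind" "$path" ;;      # candidate for chmod a-x
        esac
    done
}

# Run as: sh audit.sh /path/to/tree
if [ "$#" -gt 0 ]; then
    audit_exec_bits "$1"
fi
```

Each reported path is a candidate for review under whatever access policy has been agreed; the script only reports and changes nothing.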